That model has worked, he said, but, "due to the sheer volume of security vendors today, CISOs have less time to be a vendor's guinea pig."
In an ideal world, Hay said, the CISO "would have a technical staff to evaluate the tools," which would allow him to focus on the "strategic vision" of the security program - "policies, procedures, guidelines and standards that must be defined, maintained and measured," he said.
The CISO would then be brought in when a purchase decision needs to be made, "to validate that the products in question align with the organization's security goals," he said.
Of course, the ideal is not always reality. So experts generally agree that the overwhelmed CISO should focus not on what vendors are selling, but on what the organization needs.
Dan Waddell, managing director, North America region and director of U.S. Government Affairs for ISC2, said CISOs should understand the environment of their organizations, and then when presented with a product pitch, "ask all stakeholders to be present to provide input - not just the security team, but personnel from procurement/acquisition, finance, enterprise architects, etc.
"The various perspectives will ensure that the solution aligns with the organization's policy, governance and staffing goals," he said.
Irfan Saif, a partner in Deloitte Advisory Cyber Risk Services, said the need to understand the organization's needs and business requirements is "paramount," and that failing to do so can lead to the use, or overuse, of "overlapping or redundant tools that aren't integrated or aren't working in unison towards mitigating and managing key risks to the organization."
That, he said, "can distract from the more important task of truly understanding the risks and threats and designing the right solutions, which may include one or more technologies working in tandem."
Hutchinson agreed. "Focus on what your business needs, not what tools are available," she said, adding that it is also important to make sure security measures enable the business, and don't restrict what workers need to do.
"As a friend of mine says, 'the purpose of a door is to control the flow of people to and from the house.' If I put 50 locks on the door, it is most definitely secure but it no longer functions well as a door," she said.